
AAA authorization issue !

illusion_rox
Level 1

Hi all, I have a new network engineer who needs just show access to our routers. I am using Cisco ACS 3.3 (Windows) to handle AAA. Now I have given this user privilege 14 and he is able to show all the commands except show running-config. I need to provide him access to this command (it's important). Since I can't do any authorization in priv 15, does anyone have any idea how to achieve this in level 14?


Wantser1981_2
Level 1

I am not sure on 3.3, but on 4.1 I would create a command authorisation set permitting only the use of the show command, but allowing the user to have priv15.

I have done this for our helpdesk.

You may want to create another group or so that you can dump future users in there with just "show" access.

Create the authorisation set, assign that set to the group and then dump that user into said group.

Hope this helps

Andy

Ovais

Be aware of a restriction in show running-config with privilege levels. You can grant access to show running-config, but the person will not see things in show running that they do not have access to change. So if they cannot change anything, they will see pretty much nothing in show running. You might check on using show startup-config, which I believe does not have the same restriction.

HTH

Rick

Dear Rburts, I have tried using show startup-config but the parameter simply isn't there!! Same with show running-config.

Hi,

Both show startup-config and show running-config are priv 15 level commands.

If you assign 15 as a level to the user and only authorise the command set of "show" and then arguments "permit running-config" it will allow your user to access these commands plus all other show commands. conf, clear etc etc will not be authorised so will fail.

Andy

Hi Andy, I have tried this as well. I assigned the user level 15 and then only permitted him show running-config, but it didn't work. I asked a question like this before also, and someone told me that we can't do any type of filtering in level 15, it's not possible. So what do you guys think?

Thanks again for the feedback

Well, I am doing it, so I would suggest that is untrue!

Whether it is slightly different in 3.3 though I am unsure.

I have attached a quick screen shot of the command set and group setting for allocating that command set to that group. Oddly, just adding the permit statement for running-config and interface has enabled all show commands only. You do need to specify running-config for it to work.

Might shed some light....

Andy
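
An added example, not part of the thread and not Cisco's code: a simplified Python model of the design discussed above (user at privilege 15, command set that permits only `show`). It assumes ACS-style argument rules with a "permit unmatched args" option switched on, and that the router asks the AAA server only about command levels covered by `aaa authorization commands <level>`; the set contents, function names and sample commands are constructed for illustration.

```python
import re

# Constructed command set (not exported from ACS): command "show" with the
# two argument rules named in the thread; every other command is unmatched.
SHOW_ONLY = {
    "unmatched_commands": "deny",
    "commands": {
        "show": {
            "args": [("permit", r"^running-config\b"),
                     ("permit", r"^interface\b")],
            "permit_unmatched_args": True,  # assumption, see lead-in
        },
    },
}

def server_decision(command_set, line):
    """Return 'permit' or 'deny' for one full CLI line under a command set."""
    cmd, _, args = line.strip().partition(" ")
    entry = command_set["commands"].get(cmd)
    if entry is None:
        # Command not listed at all: the set-wide default applies.
        return command_set["unmatched_commands"]
    for action, pattern in entry["args"]:
        if re.search(pattern, args.strip()):
            return action  # first matching argument rule wins
    return "permit" if entry["permit_unmatched_args"] else "deny"

def router_decision(line, cmd_level, authorized_levels, command_set):
    """Model the router side: a command whose level has no command
    authorization configured is never sent to the AAA server, so a
    privilege-15 user runs it without any check ('unchecked')."""
    if cmd_level not in authorized_levels:
        return "unchecked"
    return server_decision(command_set, line)

if __name__ == "__main__":
    # Constructed sample commands with the level the caller assigns them.
    samples = [("show running-config", 15), ("show version", 1),
               ("configure terminal", 15), ("clear counters", 15)]
    for label, levels in [("levels 1 and 15 authorized", {1, 15}),
                          ("level 15 not authorized", {1})]:
        print(label)
        for line, level in samples:
            print(f"  {line:22} {router_decision(line, level, levels, SHOW_ONLY)}")
```

The second run shows the failure mode to check for on the router: with privilege 15 assigned but no command authorization for level 15, `configure terminal` is never evaluated against the show-only set.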
